7.1 Account Domain

An account domain is a representation of different types of servers, databases, or applications. It stores details about the server, such as the DNS name, IP address, port number, and policies with default credentials. You can create multiple account credentials for a single account domain.

You can use the account credential of a privileged account to perform the following actions:

  • Access a privileged session

  • Allow privileged users access to endpoints such as systems, databases, and applications by using the account credentials in a policy (Command Control rule)

  • Allow a privileged user root or administrator access on a server

Privileged Account Manager allows you to add the following types of account domains:

The following sections provide information about creating account domains and securing account credentials. For information about how to create an account domain for a database or an application, refer to Section 19.0, Privileged Access to Applications and Cloud Services.

7.1.1 Creating an Account Domain for Windows Systems

Finding an Account Domain

  1. On the home page of the console, click Enterprise Credential Vault.

  2. In the left pane, click Credential Vaults.

  3. In the middle pane, select the required domain type.

  4. On the bottom of the pane, type the account domain that you require, then click Search.

    If you need to modify that account domain, click the modify icon.

Adding an Account Domain

  1. On the home page of the console, click Enterprise Credential Vault.

  2. In the left pane, click Credential Vaults.

  3. In the middle pane, click Add Account Domain.

  4. In the right pane, specify the following information:

    Name: Specify the name of the domain. For example, if your Active Directory domain is DC=PAMDOMAIN,DC=com, specify the value for this field as pamdomain. This name is used along with the Credential to authenticate. If you do not provide the correct domain name, user authentication fails.

    Type: Select the required account type from the list.

    Profile: Select the profile for the user.

    Based on the type of the account that you select in the Type field, specify the following:

    NOTE: If the account type is a database or an application, refer to Section 19.0, Privileged Access to Applications and Cloud Services.

    LDAP: If the account type is LDAP, specify the following:

    LDAP URL: Specify the DNS name. For example: netiq.com

    Base DN: To display the domain name, click Lookup.

    Scope: Select the scope for the user.

    Account: Specify the account name of the domain user. For example: administrator

    Anonymous: Select this option to enable anonymous access to the LDAP directory.

    User DN: Specify the complete name for the domain user. For example: CN=administrator,CN=Users,DC=netiq,DC=com

    Password: Specify the password for the domain user account.

    To add additional fields, you can use Add Custom Fields.

  5. Click Add to save the account domain details.

An account domain and a credential are created for the specified domain. To add multiple credentials, continue with Adding Credentials.

Modifying an Account Domain

  1. On the home page of the console, click Enterprise Credential Vault.

  2. In the left pane, click Credential Vaults.

  3. In the middle pane, select the account domain you want to modify.

  4. Click the modify icon.

  5. Specify the following information:

    Name: Specify the name of the domain.

    Type: Select LDAP as the account type for the user.

    Profile: Select the profile for the user.

    Base DN: To display the domain name, click Lookup.

    Scope: Select the scope for the user.

    Account: Specify the account name of the domain user. For example: administrator

    Credential: Select a credential for the domain.

  6. Click Add to save the account domain details.

Deleting an Account Domain

  1. On the home page of the console, click Enterprise Credential Vault.

  2. In the left pane, click Credential Vaults.

  3. In the middle pane, select the account domain you want to delete, then click the delete icon.

  4. In the right pane, click Finish.

    The account domains are deleted, and are also removed from any other account groups, rule conditions, and script entities where they have been defined.

Viewing Credentials

To view the credentials for any domain, perform the following:

  1. On the home page of the console, click Enterprise Credential Vault.

  2. In the left pane, click Credential Vaults.

  3. In the middle pane, click the required account domain type.

    For example, if you want to view credentials for a Windows domain, click the Windows tab.

  4. In the middle pane, click the key icon next to the required domain.

Adding Credentials

To add multiple credentials to an existing account domain, do the following:

  1. On the home page of the console, click Enterprise Credential Vault.

  2. In the left pane, click Credential Vaults.

  3. In the middle pane, select the type of the account domain.

  4. Click the key icon for the required account domain.

    The available credentials are displayed in the right pane.

  5. In the right pane, click Add to add more credentials and specify the following details:

    Account: Specify the account name of the domain user. For example: administrator.

    User DN: Specify the complete name for the domain user. For example: CN=administrator,CN=Users,DC=netiq,DC=com

    Password: Specify the password for the domain user account.

  6. Click Add to save the account domain and credential details.

Modifying Credentials

To modify credentials of the account domain of any type, perform the following:

  1. On the home page of the console, click Enterprise Credential Vault.

  2. In the left pane, click Credential Vaults.

  3. In the middle pane, click the required account domain type.

    For example, if you want to modify credentials for a Windows domain, click the Windows tab.

  4. In the middle pane, click the key icon next to the required domain.

  5. In the right pane, click the modify icon next to the required credential.

  6. Modify the required fields, then click Modify.

Deleting Credentials

To delete credentials of the account domain of any type, perform the following:

  1. On the home page of the console, click Enterprise Credential Vault.

  2. In the left pane, click Credential Vaults.

  3. In the middle pane, click the required account domain type.

    For example, if you want to delete credentials for a Windows domain, click the Windows tab.

  4. In the middle pane, click the key icon next to the required domain.

  5. In the right pane, click the delete icon next to the credential that you want to delete.

  6. Click Finish.

7.1.2 Creating an Account Domain for Linux or Unix Systems

Adding an Account Domain

  1. On the home page of the console, click Enterprise Credential Vault.

  2. In the left pane, click Credential Vaults.

  3. In the middle pane, click Add Account Domain.

  4. In the right pane, specify the following information:

    Name: Specify the IP address or full name of the host.

    Type: Select SSH as the type for the user.

    SSH Host: Specify the IP address or the full name of the host.

    SSH Host Key: Click Lookup to populate the host key, otherwise manually specify the SSH host key.

    Credential Type: In the drop-down list, select either Password or SSH Private Key.

    Account: Specify the account name of the domain user. Example: root.

    Password: Specify the password for the domain user account, if you selected Password as the credential type.

    Private Key: Generate the key pair and copy the private key content here, if you selected SSH Private Key as the credential type.

    To generate the key pair do the following:

    1. Open a terminal on the remote host and browse to the /root/.ssh folder.

    2. Type ssh-keygen -t rsa.

      Public and private keys are generated.

    3. Copy the content of the public key to the authorized_keys file. If the authorized_keys file does not exist, you must create the file and paste the public key.

    4. Copy the content of the private key to the Privileged Account Manager SSH private key.

    Passphrase: Specify the passphrase that was entered while generating the key pair.

    To add additional fields, use Add Custom Fields.

  5. Click Finish to save the account domain details.
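The key-pair procedure above, as an added example that is not part of the Privileged Account Manager documentation: it runs against a local directory instead of the remote host's /root/.ssh so it can be inspected safely, sets the file permissions sshd requires, appends rather than overwrites authorized_keys, and checks that the private key to be pasted into the Private Key field really matches the installed public key. It assumes OpenSSH's ssh-keygen is installed; the directory, key file name, key size and passphrase are constructed values.

```shell
#!/bin/sh
# Added example, not from the product documentation. Assumes OpenSSH ssh-keygen.
set -eu

# Generate a passphrase-protected RSA key pair, install the public key in
# authorized_keys with the permissions sshd insists on, and print the path of
# the private key whose contents go into the PAM "Private Key" field.
# Usage: pam_keypair <dir> <passphrase>
pam_keypair() {
    dir=$1
    passphrase=$2
    mkdir -p "$dir"
    chmod 700 "$dir"                 # sshd ignores keys in a group/world-writable .ssh
    key="$dir/pam_id_rsa"            # constructed file name
    # -N sets the passphrase that the PAM "Passphrase" field must later match.
    # 4096 bits is an assumption; the page's plain "ssh-keygen -t rsa" uses the default.
    ssh-keygen -q -t rsa -b 4096 -N "$passphrase" -C "pam-checkout" -f "$key" </dev/null
    chmod 600 "$key"
    # Append: other administrators' keys in authorized_keys stay valid.
    cat "$key.pub" >> "$dir/authorized_keys"
    chmod 600 "$dir/authorized_keys"
    printf '%s\n' "$key"
}

# Confirm that the private key, unlocked with its passphrase, derives the same
# public key that was installed. A mismatch means the wrong file (or the wrong
# passphrase) was entered into PAM, and every checkout would fail at login.
# Usage: pam_keypair_verify <private-key> <passphrase> <authorized_keys>
pam_keypair_verify() {
    key=$1
    passphrase=$2
    authorized=$3
    # -y prints the public key; -P supplies the passphrase non-interactively.
    derived=$(ssh-keygen -y -P "$passphrase" -f "$key" 2>/dev/null | awk '{print $1" "$2}')
    [ -n "$derived" ] || return 1    # wrong passphrase or unreadable key
    grep -qF -- "$derived" "$authorized"
}
```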

Modifying an Account Domain

  1. On the home page of the console, click Enterprise Credential Vault.

  2. In the left pane, click Credential Vaults.

  3. In the middle pane, click the modify icon for the account domain you want to modify.

  4. In the right pane, specify the following information:

    Name: Specify the IP address or full name of the host.

    Type: Select SSH as the account type for the user.

    SSH Host: Select the host for the user.

    SSH Host Key: Click Lookup to populate the host key, otherwise manually specify the SSH host key.

    Credential: Select a credential for the user.

  5. Click Modify to save the account domain details.

Deleting an Account Domain

  1. On the home page of the console, click Enterprise Credential Vault.

  2. In the left pane, click Credential Vaults.

  3. In the middle pane, click the delete icon for the account domain you want to delete.

  4. In the right pane, click Delete.

    The account domains are deleted, and are also removed from any other account groups, rule conditions, and script entities where they have been defined.

7.1.3 Creating Account Domain for Database

You can create an account domain for databases to share the database account credentials with privileged users by using the credential checkout feature. For more information about the credential checkout feature for databases, refer to Configuring Credential Checkout for Oracle Database and Configuring Credential Checkout for Other Databases.

7.1.4 Creating Account Domain for Application

You can create an account domain for applications to share and manage an application's account credentials with privileged users by using the credential checkout feature. For more information about shared accounts and the credential checkout feature, refer to Enabling Credential Checkout for Applications.

7.1.5 Specifying Password Policies

You can specify password policies so that when the password is reset through Credential Vaults, the specified password policy is applied.

  1. On the home page of the console, click Enterprise Credential Vault.

  2. In the left pane, click Password Policies.

    Default Password Policy is displayed. You can modify the Default Password Policy but you cannot delete it.

  3. (Conditional) If you want to modify the default password policy, click Default Password Policy, then click the modify icon.

  4. (Conditional) If you do not want to modify the default password policy, click Add and create a new password policy.

  5. Add the details and click Finish.

7.1.6 Modifying Password Policy

To modify any password policy, perform the following steps:

  1. On the home page of the console, click Enterprise Credential Vault.

  2. In the left pane, click Password Policies.

  3. In the middle pane, click the modify icon next to the policy that you want to modify.

  4. In the right pane, make the required changes, then click Modify.

7.1.7 Deleting Password Policy

You can delete a password policy that is no longer required, but the default policy cannot be deleted. To delete a password policy, perform the following steps:

  1. On the home page of the console, click Enterprise Credential Vault.

  2. In the left pane, click Password Policies.

    You can modify the Default Password Policy, but you cannot delete it.

  3. In the middle pane, click the delete icon next to the policy that you want to delete.

  4. In the right pane, click Finish.